Refactor string eval for scope_condition #227
Personally I'm not sure how we could work around this. Supplying the scope as a string is very handy sometimes. The only way this is insecure is if the developer wants to shoot themselves in the foot and supply a silly scope condition. I don't think there's a way to have the scope condition interfered with from outside the app code since this is all evaluated at boot time.

I'm not sure if this is related, but I used

Yes, it is a bit counter-intuitive. The string/symbol thing has been around as long as the library as far as I know. One of my contractors is doing some refactor of the structure of

@ledestin what were your thoughts on this again?

If an array is passed, it's treated differently from a scalar. You could code that strings aren't changed, but to a

That's an idea. It's starting to get very subtle though. I just remembered the conversation we had about inspecting the models

```ruby
acts_as_list :add_new_at => :top
def scope_condition
['notice_area_id = ? AND ? >= CURDATE()', notice_area_id, end_date.to_s(:db)]
end
# A custom acts_as_list scope requires a custom scope_changed? method.
# The scope changes when notice_area_id changes, or when end_date crosses
# the start of the current day in either direction.
def scope_changed?
  changed.include?('notice_area_id') ||
    changed.include?('end_date') && (
      changes['end_date'][0] >= Time.zone.now.beginning_of_day &&
      changes['end_date'][1] < Time.zone.now.beginning_of_day ||
      changes['end_date'][1] >= Time.zone.now.beginning_of_day &&
      changes['end_date'][0] < Time.zone.now.beginning_of_day
    )
end
```

Closing this for now.
This code needs to be looked at:
Some work has been done here previously by @rdvdijk: #215
Any thoughts @swanandp?